A More Secure Windows Environment
Olav Tvedt
Deployment Ranger
Agenda
• LM, NTLM, NTLMv2 and Kerberos
• Quick Tips for Increased Security
LM, NTLM, NTLMv2, Kerberos
• LM
• NTLM
• NTLM v2
• Kerberos
An Example LM/NTLM Attack
(Figure: a man in the middle, the "Bad guy", sitting between "You" and the real server and relaying the LM/NTLM challenge-response exchange.)
You -> Bad guy: "I'd like to log on as Mark"
Bad guy -> real server: "I'd like to log on as Mark"
Real server -> Bad guy: "challenge=39181"
Bad guy -> You: "challenge=39181"
You -> Bad guy: "response=t9$wN"
Bad guy -> real server: "response=t9$wN"
Real server -> Bad guy: "congrats, you're logged in"
NTLMv2
• Improves on the LM/NTLM weakness
• More unique hash, session based
• Timestamp to prevent replay
When LM, NTLM and NTLM v2 are used
• When communicating by IP address instead of name
• When the clocks are skewed
• When the client is not Kerberos authenticated
  - Not a domain member and the like (odd OSes ;-)
  - Network devices (print servers and the like)
Avoid LM and NTLM
• Group Policies / Computer Configuration / Windows Settings / Security Settings / Local Settings / Security Options
• Send LM & NTLM responses
• Send LM & NTLM – NTLMv2 if negotiated
• Send NTLM response only
• Send NTLMv2 response only
• Send NTLMv2 response only\refuse LM
• Send NTLMv2 response only\refuse LM & NTLM
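The six options above are the values 0 to 5 of the "LAN Manager authentication level" policy. As an added example (not part of the slides), this PowerShell reads the value the policy writes and reports which option a machine is effectively running, so a host can be checked against the "refuse LM & NTLM" option without opening the policy editor. It assumes the value is LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; a missing value is reported as "not set" rather than guessed, since the OS default differs between Windows versions.

```powershell
# Added example, not from the original slides.
# Maps the registry value behind "Network security: LAN Manager authentication
# level" back to the option names listed on the slide (assumed order 0..5).
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only / refuse LM'
    5 = 'Send NTLMv2 response only / refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Assumption: the policy is stored as HKLM\...\Lsa\LmCompatibilityLevel (REG_DWORD).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Test-LmCompatibilityLevel {
    # $Minimum = 5 is the last option on the slide: refuse both LM and NTLM.
    param([int]$Minimum = 5)
    $level = Get-LmCompatibilityLevel
    if ($null -eq $level) {
        return [pscustomobject]@{ Level = $null; Name = 'not set (OS default applies)'; Compliant = $false }
    }
    [pscustomobject]@{
        Level     = $level
        Name      = $LmLevelNames[$level]
        Compliant = ($level -ge $Minimum)
    }
}

Test-LmCompatibilityLevel | Format-List
```

Run it elevated on each host you want to audit; a result with Compliant = False means the machine will still answer with LM or NTLM when a peer asks for it.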
Kerberos
• Active Directory uses Kerberos whenever possible
• Completely different from LM/NTLM/NTLMv2, based on RFC 1510 and others
Kerberos In Pictures
(Figure: meet our players. Tom wants his DC, the KDC, to log him onto his PC, TOMSPC, and onto the print server PS.)
Kerberos In Pictures
(Figure: to accomplish that, Tom needs something that gives him the right to talk to those servers. That "something" is called a ticket, and there are two kinds; Tom's DCs, the KDC, create both kinds. Service tickets get Tom access to services, like the "workstation" service on TOMSPC or the print server service on PS. The slide's last line reads: "Ticket Granting Tickets give Tom the")
Kerberos
Two tickets, two services
• First you introduce yourself to the KDC by logging on; you only want to have to do this once a day and so you ask the KDC for a "ticket to the KDC"... that's the Ticket-Granting Ticket
• That is granted by a piece of the KDC called the "Authentication Service" or AS
• Once you've got a TGT, then you can show the TGT to the KDC and say "remember me? Now I need a Service Ticket to such-and-such service"
• Service tickets are issued by a different part of the
Kerberos
Why not just one type of ticket?
• A Ticket Granting Ticket is like a Service Ticket in that both are tickets that authenticate you to some service
• But you usually end up with just one TGT and a bunch of STs
• The reason for two kinds of tickets: under the hood, Kerberos secures every ticket by encrypting some of its data with a password or key
Kerberos
The fundamental reason why Kerberos is better
• Lots of tickets would mean lots of data encrypted with your password – and that'd mean that attackers would have more data they could use to try to figure out your password
• So – and here's the important part – what Kerberos gives you in the TGT is essentially just a "password for the day"
• Service ticket-related information is encrypted with the password for the day; only TGT-related information is encrypted with your actual password – one transaction per day!
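To make the "password for the day" point concrete, here is an added toy model of the AS and TGS exchanges in PowerShell (not code from the slides, and not how Windows implements Kerberos). It counts how many blobs are sealed with Tom's real password versus the per-day session key: one AS exchange touches the password once, and every service ticket after that uses only the day key. Assumptions: AES-256-CBC from .NET stands in for the Kerberos encryption types, SHA-256 of the password stands in for the Kerberos string-to-key function, authenticators are omitted, and all names and keys are made up.

```powershell
# Added example, not from the original slides: a simplified KDC with an AS and
# a TGS, used only to show which key protects which blob.

function ConvertTo-Key([string]$Secret) {
    # Stand-in for Kerberos string-to-key: 32-byte AES key from a password.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return ,$sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Secret))
}

function Protect-Blob([byte[]]$Key, [string]$Plain) {
    # AES-256-CBC with a random IV prepended; stands in for a Kerberos enctype.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $data = [System.Text.Encoding]::UTF8.GetBytes($Plain)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($data, 0, $data.Length)
    return ,([byte[]]($aes.IV + $cipher))
}

function Unprotect-Blob([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV = [byte[]]$Blob[0..15]
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

function New-RandomKey {
    $k = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    return ,$k
}

# KDC state (constructed sample data, not real credentials).
$UserKey     = ConvertTo-Key 'Tom-password-example'   # derived from Tom's real password
$KrbtgtKey   = New-RandomKey                          # krbtgt key, known only to the KDC
$ServiceKeys = @{ 'host/TOMSPC' = New-RandomKey; 'host/PS' = New-RandomKey }
$Script:EncryptedWithUserKey = 0                      # counts blobs sealed with Tom's password

function Invoke-ASExchange([string]$User) {
    # AS reply: the TGT is sealed with the krbtgt key; the day key inside it is
    # also handed to the client sealed with the user's real key. This is the
    # one and only use of the user's password for the day.
    $dayKey = New-RandomKey
    $tgt = Protect-Blob $KrbtgtKey "TGT for $User; key=$([Convert]::ToBase64String($dayKey))"
    $Script:EncryptedWithUserKey++
    $reply = Protect-Blob $UserKey ([Convert]::ToBase64String($dayKey))
    return [pscustomobject]@{ TGT = $tgt; EncSessionKey = $reply }
}

function Invoke-TGSExchange([byte[]]$Tgt, [string]$Service) {
    # TGS reply: the KDC opens the TGT with its own key, recovers the day key,
    # seals the service ticket with the service's key and the new sub-session
    # key with the day key. The user's real key is never used here.
    $tgtPlain = Unprotect-Blob $KrbtgtKey $Tgt
    $dayKey = [Convert]::FromBase64String(($tgtPlain -split 'key=')[1])
    $svcKey = New-RandomKey
    $ticket = Protect-Blob $ServiceKeys[$Service] "ST for $Service; key=$([Convert]::ToBase64String($svcKey))"
    $reply = Protect-Blob $dayKey ([Convert]::ToBase64String($svcKey))
    return [pscustomobject]@{ ServiceTicket = $ticket; EncSessionKey = $reply }
}

# Client side: one AS exchange, then a service ticket per service.
$as = Invoke-ASExchange 'Tom'
$dayKey = [Convert]::FromBase64String((Unprotect-Blob $UserKey $as.EncSessionKey))
foreach ($svc in 'host/TOMSPC', 'host/PS') {
    $tgs = Invoke-TGSExchange $as.TGT $svc
    $null = Unprotect-Blob $dayKey $tgs.EncSessionKey   # only the day key is needed
    "Got service ticket for $svc ($($tgs.ServiceTicket.Length) bytes)"
}
"Blobs sealed with Tom's real password: $Script:EncryptedWithUserKey (one per AS exchange, however many services)"
```

The counter stays at 1 no matter how many services are added to the loop, which is exactly the property the slide describes: an attacker who captures traffic gets plenty of material sealed with per-day and per-service keys, but only one blob sealed with the long-term password.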
Sample klist Output
C:\>klist tickets
Cached Tickets: (2)

   Server: krbtgt/[email protected]
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 2/6/2006 4:10:08
      Renew Time: 2/12/2006 18:10:08

   Server: host/[email protected]
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 2/6/2006 4:10:08
      Renew Time: 2/12/2006 18:10:08
C:\>
So... is Kerberos secure?
• Kerberos depends on a few things
  - A good encryption algorithm
  - The longer the key the better
  - Keys that can't be guessed, which is undermined by:
    - lousy passwords
    - a bad random number generator
  - A secure password store – i.e. a physically secure DC
Weaknesses?
• Overall, MS's Kerberos seems quite good
• RC4 isn't great as a crypto algorithm (DES is also an option for those who want it) but neither is it as weak as some would say, except if bad guys get a lot of crypto messages encrypted with the same key; KDC session keys keep this down. Go to 2008 domain functional level, however, and you'll go to 256-bit AES.
• I have never heard a complaint about the random number generator
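The klist output shown earlier and the RC4-versus-AES point above can be checked on a live machine. As an added example (not from the slides), this PowerShell parses the text that "klist tickets" prints and flags every cached ticket whose encryption type is still RC4-HMAC. The input embedded below is constructed: it follows the layout of the slide's sample, with a made-up realm EXAMPLE.LOCAL in place of the slide's obscured one and one ticket changed to AES so both outcomes appear.

```powershell
# Added example, not from the original slides.
# Constructed klist output (realm and hostnames are placeholders).
$SampleKlist = @'
Cached Tickets: (2)

   Server: krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 2/6/2006 4:10:08
      Renew Time: 2/12/2006 18:10:08

   Server: host/tomspc.example.local@EXAMPLE.LOCAL
      KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
      End Time: 2/6/2006 4:10:08
      Renew Time: 2/12/2006 18:10:08
'@

function ConvertFrom-KlistOutput {
    # Turns the "Server:" blocks of klist output into objects, one per ticket.
    param([string[]]$Lines)
    $tickets = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Server:\s*(.+)$') {
            if ($null -ne $current) { $tickets += $current }
            $current = [ordered]@{ Server = $Matches[1].Trim(); EncryptionType = $null; EndTime = $null }
        } elseif ($null -ne $current -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+)$') {
            $current.EncryptionType = $Matches[1].Trim()
        } elseif ($null -ne $current -and $line -match '^\s*End Time:\s*(.+)$') {
            $current.EndTime = $Matches[1].Trim()
        }
    }
    if ($null -ne $current) { $tickets += $current }
    foreach ($t in $tickets) {
        [pscustomobject]@{
            Server         = $t.Server
            EncryptionType = $t.EncryptionType
            EndTime        = $t.EndTime
            UsesRC4        = ($t.EncryptionType -match 'RC4')
        }
    }
}

$tickets = @(ConvertFrom-KlistOutput -Lines ($SampleKlist -split "`r?`n"))
$tickets | Format-Table -AutoSize
$rc4 = @($tickets | Where-Object UsesRC4)
"RC4 tickets: $($rc4.Count) of $($tickets.Count)"

# Live use on a domain member:
#   ConvertFrom-KlistOutput -Lines (klist tickets) | Where-Object UsesRC4
```

A krbtgt ticket that still shows RC4 after the domain has moved to the 2008 functional level is worth a look, since it means the AES keys the slide promises are not actually in use for that principal.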
Vista/2008 Side-Note
• If you look at a network trace when Vista or 2008 try to do a Kerberos logon, you'll see that the request to the AS for a TGT always fails the first time
• Vista/2008 deliberately sends a bad packet to find out whether the DC they're talking to can use AES rather than RC4-HMAC for encryption – the "you failed" return message from a 2008 DC includes its available encryption abilities by default
Troubleshooting Kerb Events
• You can set Kerberos to log its activity to the System log
• Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
• Add a new REG_DWORD value LogLevel, set to 1
• Reboot for it to take effect
Creating Kerberos Logs
• In Parameters, set REG_DWORD LogToFile = 1 to create an ASCII log file
• KerbDebugLevel (REG_DWORD) sets the verbosity of the log; Google "Kerberos Authentication Tools and Settings" for a nifty white paper on all the setting values
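The two slides above are one procedure; as an added example (not from the slides), this PowerShell wraps it so the logging can be switched on for a troubleshooting session and cleanly removed afterwards. The key path and the value names LogLevel, LogToFile and KerbDebugLevel are the ones the slides give; the value for KerbDebugLevel is left to you, since the slides defer to the white paper for it. It assumes an elevated session and, as the slide says, a reboot after each change.

```powershell
# Added example, not from the original slides.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosLogging {
    param(
        [switch]$ToFile,          # also set LogToFile = 1 for the ASCII log file
        [int]$KerbDebugLevel      # verbosity value; take it from the white paper the slide cites
    )
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    Set-ItemProperty -Path $KerbParams -Name LogLevel -Value 1 -Type DWord
    if ($ToFile) { Set-ItemProperty -Path $KerbParams -Name LogToFile -Value 1 -Type DWord }
    if ($PSBoundParameters.ContainsKey('KerbDebugLevel')) {
        Set-ItemProperty -Path $KerbParams -Name KerbDebugLevel -Value $KerbDebugLevel -Type DWord
    }
    Get-ItemProperty -Path $KerbParams | Select-Object LogLevel, LogToFile, KerbDebugLevel
}

function Disable-KerberosLogging {
    # Remove the values again once troubleshooting is done; verbose Kerberos
    # logging is noisy and not something to leave on permanently.
    foreach ($name in 'LogLevel', 'LogToFile', 'KerbDebugLevel') {
        Remove-ItemProperty -Path $KerbParams -Name $name -ErrorAction SilentlyContinue
    }
}

function Get-KerberosEvents {
    # Read back what LogLevel = 1 produced in the System log after the reboot.
    param([int]$Newest = 50)
    Get-WinEvent -LogName System -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos*' } |
        Select-Object -First $Newest TimeCreated, Id, ProviderName, Message
}

# Enable-KerberosLogging -ToFile    # then reboot
# Get-KerberosEvents                # after the reboot
# Disable-KerberosLogging           # then reboot again
```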
Quick Tips for Increased Security
Group Policy Settings
• Turn off Autorun
  Windows Server 2003 / XP
  - Computer Policy / Computer Configuration / Administrative Templates / System - Turn off Autoplay
  Windows Server 2008 / Vista
  - Computer Policy / Computer Configuration / Administrative Templates / Windows Components / AutoPlay Policies - Turn off Autoplay
• UAC tuning
  - Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options - User Account Control: *
• NTLM tuning
  - Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options - Network Security: LAN Manager Authentication Level
Group Policy Settings
• User access
  - Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / User Rights Assignment - Access this computer from the network
• Change local groups
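The Autoplay and UAC policies above end up as registry values on each machine, and "change local groups" is mostly about who sits in local Administrators. As an added example (not from the slides), this PowerShell reads those back so a host can be verified after the policy has applied. It assumes the "Turn off Autoplay" policy writes NoDriveTypeAutoRun under Policies\Explorer (0xFF for all drives), that the UAC policies write EnableLUA and ConsentPromptBehaviorAdmin under Policies\System, and that Get-LocalGroupMember is available (Windows 10 / Server 2016 or later).

```powershell
# Added example, not from the original slides.
function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AutoplayDisabled {
    # Assumption: "Turn off Autoplay: All drives" sets the bitmask 0xFF here.
    $v = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    [pscustomobject]@{ Setting = 'NoDriveTypeAutoRun'; Value = $v; Ok = ($v -eq 0xFF) }
}

function Test-UacEnabled {
    $sys    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua    = Get-PolicyValue $sys 'EnableLUA'
    $prompt = Get-PolicyValue $sys 'ConsentPromptBehaviorAdmin'
    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0 is
    # "Elevate without prompting", the one admin-approval setting to avoid.
    [pscustomobject]@{
        Setting     = 'UAC'
        EnableLUA   = $lua
        AdminPrompt = $prompt
        Ok          = ($lua -eq 1 -and $prompt -ne 0)
    }
}

function Get-LocalAdmins {
    # "Change local groups": show who currently holds local admin on this box.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

Test-AutoplayDisabled
Test-UacEnabled
Get-LocalAdmins | Format-Table -AutoSize
```

Values that are absent (reported as empty) simply mean no policy has written them yet, in which case the OS default applies; a missing NoDriveTypeAutoRun on an older client means Autoplay is still on for removable drives.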
Windows Server 2008 Network Access Protection
What is NAP
Helps maintain the health policies for network access
(Figure: health policy validation, health policy update, restricted access)
When to use NAP
• Verify the status of laptops (roaming)
• Verify the status of desktops
• Verify the status of guest PCs
• Verify the status of unmanaged home PCs
Works only with Windows Server 2008, Windows Vista and Windows XP with Service Pack 3
Components of NAP
• Enforcement Servers and Clients (ES and EC)
• SHA and SHV (System Health Agents / System Health Validators)
• Enforcement components and methods
  - HRA (Health Registration Authority)
  - IPSec
  - IEEE 802.1x
  - VPN
  - DHCP
• NPS (Network Policy Servers)
• Remediation Servers
Enforcement Servers and Clients
• NAP-compatible clients and servers:
  - Microsoft Windows Server 2008
  - Microsoft Windows Vista
SHA and SHV
• Windows Security Health Agents/Validators
  - Firewall
  - Virus Protection
  - Spyware Protection
  - Automatic Updating
  - Security Update Protection
• SMSSHA (SCCM2007/SMSv4)
• Third-party SHA, e.g. CASHA (CA, Inc./eTrust)
• Your own SHA/SHV
  - Bitlocker
  - Strong Password
System Health Agents
• WSHA
  - Firewall
  - Virus Protection
  - Spyware Protection
  - Automatic Updating
  - Security Update Protection
• SMSSHA (SCCM2007/SMSv4)
• CASHA (CA, Inc./eTrust)
• Custom SHA/SHV?
  - Bitlocker
  - Strong Password
IPSec
• IPSec isolation of the network
• Uses HRA health certificates for authentication
• The most secure NAP enforcement method
Health Registration Authority
• Windows Server 2008 IIS
• Client certificates from a CA
IEEE 802.1x
• Authenticating Ethernet switch
VPN
• An extra layer on top of the usual VPN rules
• Not the same as Network Access
DHCP
• At least 2 address ranges
  - Restricted network
  - Unrestricted network
• Lease and renewal
NPS
• NAP policy server
• Replaces the RADIUS server
• AAA
  - Authentication
  - Authorization
  - Accounting
Remediation Servers
• Reachable from the restricted network
• "Medicine" server
• Information to clients
• Typical roles:
  - DNS
  - Antivirus server
  - WSUS
Restricted network
• Separate logical or physical network
• Contains:
  - Remediation Servers
(Figure: Restricted Network)
How NAP works
(Figure: the NAP flow between a Windows client, the DHCP/VPN/switch-router enforcement point, the Microsoft NPS, the policy servers and the fix-up servers.)
1. Client requests access to the network and presents its current health state
2. DHCP, VPN or Switch/Router relays the health status to the Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates it against the IT-defined health policy, using policy servers such as Patch and AV
4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources (example: Patch) to download patches, configurations and signatures; repeat 1 - 4
5. If policy compliant, the client is granted full access to the corporate network
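The SHA/SHV split described earlier and the five-step flow above are two halves of one decision: an agent gathers facts about the client, a validator compares them to policy and decides between full and restricted access. As an added example (not from the slides and not the Windows SHA/SHV implementation), this PowerShell plays both roles locally: Get-HealthStatement collects the same kind of facts the Windows Security Health Agent reports (firewall, virus protection, spyware protection, automatic updating), and Test-HealthStatement acts as the validator that returns the NPS decision. It assumes Get-NetFirewallProfile (Windows 8 / Server 2012 or later), the root/SecurityCenter2 WMI namespace (client editions only), and that automatic updating is judged by the NoAutoUpdate policy value; the statement it tests at the end is constructed so the "not compliant" path is visible without touching the local machine.

```powershell
# Added example, not from the original slides.
function Get-HealthStatement {
    # Agent side: one object describing this client's health (assumed data sources).
    $fw = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $as = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiSpywareProduct -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name NoAutoUpdate -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Firewall          = [bool]($fw -and -not ($fw | Where-Object { $_.Enabled -ne 'True' }))
        VirusProtection   = [bool]$av
        SpywareProtection = [bool]$as
        AutomaticUpdating = ($null -eq $au -or $au.NoAutoUpdate -ne 1)
    }
}

function Test-HealthStatement {
    # Validator side: every required check must be true, otherwise the client
    # goes to the restricted network with a list of what to remediate.
    param(
        [Parameter(Mandatory)]$Statement,
        [string[]]$Required = @('Firewall', 'VirusProtection', 'SpywareProtection', 'AutomaticUpdating')
    )
    $failed = @($Required | Where-Object { -not $Statement.$_ })
    $decision = if ($failed.Count -eq 0) { 'Full access to corporate network' } else { 'Restricted network; remediate: ' + ($failed -join ', ') }
    [pscustomobject]@{
        Computer  = $Statement.Computer
        Compliant = ($failed.Count -eq 0)
        Failed    = $failed
        Decision  = $decision
    }
}

# Constructed statement from a non-compliant guest PC (sample data).
$sample = [pscustomobject]@{
    Computer = 'GUEST-PC'; Firewall = $true; VirusProtection = $false
    SpywareProtection = $true; AutomaticUpdating = $false
}
Test-HealthStatement -Statement $sample

# Live check of this machine:
#   Get-HealthStatement | ForEach-Object { Test-HealthStatement -Statement $_ }
```

The sample statement yields Compliant = False with VirusProtection and AutomaticUpdating in Failed, which is the step-4 outcome in the flow: the client would be parked on the restricted network with the antivirus and WSUS remediation servers in reach until it re-presents a clean statement.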
The user's experience
• Understandable messages